Upgrade to a Rent Reporting Tenancy
1. Property Address
2. Property Details
3. Deposit
4. Prepayment
5. Tenants
6. Tenancy Dates
7. Payment Reference
8. Tenancy Agreement Upload
9. Additional Notes
LEGAL BASES FOR STORING TENANT DATA
- Performance of a Contract (Article 6(1)(b), UK GDPR)
  - You need certain tenant data (name, contact details, payment info) to fulfill the tenancy agreement (collect rent, maintain the property, communicate with tenants, etc.).
  - Examples: phone/email for repairs and notices; rent payment records; deposit details.
  - Constraints: Only collect what is necessary to manage the tenancy.
- Legal Obligation (Article 6(1)(c), UK GDPR)
  - Some data is mandated by law or regulation.
  - Examples:
    - “Right to Rent” checks (retain ID copies to prove compliance).
    - Gas safety certificates (must keep relevant occupant details).
  - Constraints: Only store the data specifically required by law and keep it only as long as needed to prove compliance.
- Legitimate Interests (Article 6(1)(f), UK GDPR)
  - You can store data for legitimate business interests that the tenant would reasonably expect in a landlord/tenant relationship (rent payment tracking, references for disputes, etc.).
  - Examples:
    - Logging overdue rent or contact notes.
    - Storing a forwarding address to chase arrears.
  - Constraints:
    - Must do a Legitimate Interests Assessment if the impact on tenant privacy could be significant.
    - Always store only data relevant to that interest; do not store extra or sensitive data that is not strictly needed.
WHAT YOU CAN KEEP (CATEGORIES OF DATA)
- Basic Identifiers
  - Name(s), Date of Birth (if relevant, e.g. to confirm ID), Contact Info (phone, email, postal address).
  - Justification: Required for the contract (communicating about rent, repairs) or legitimate interests (record-keeping).
- Tenancy-Related Financial Info
  - Rent Amount, Payment Frequency, Deposit Info (amount paid, scheme details if protected), Rent Payment History (dates, amounts, references), Arrears records, Prepayments.
  - Justification: Contract (to track obligations), legal obligations (deposit scheme rules), or legitimate interests (pursuing overdue rent).
- Bank Details (Limited)
  - Account number, Sort code if you need to refund deposits or track rent payments.
  - Justification: Contract or legitimate interests.
  - Constraints: Keep only what is needed for rent/refunds; securely stored; do not store the entire card number if you only need an account number.
- Right to Rent / ID Copies
  - Passport / ID scans if you must comply with Right to Rent checks (or similar legal obligations).
  - Justification: Legal obligation.
  - Constraints: Retain only for the required period (e.g., length of tenancy + up to 1 year), then delete.
- Payment Reference
  - A reference code or text the tenant should use in bank transfers for easy reconciliation.
  - Justification: Contract or legitimate interests (making sure you can identify each payment).
- Contract & Agreement Documents
  - Signed tenancy agreement (paper or digital), any amendments, renewal docs, etc.
  - Justification: Contract and/or legal requirements (you need them for a potential dispute or legal compliance).
- Maintenance / Repair Logs
  - Dates, nature of repairs, contractor used, cost, relevant occupant details (name, phone) if needed for scheduling.
  - Justification: Contract (obligation to maintain property) or legitimate interests (record-keeping).
- References & Credit Checks
  - Credit reference results, landlord references (like summary of prior tenancies).
  - Justification: Typically legitimate interests (vetting a tenant) or legal if referencing is mandated (in some limited scenarios).
  - Constraints: Data minimisation – keep only relevant credit info, not extraneous personal details.
- Correspondence / Notes
  - Emails, messages about disputes, rent reminders, or general communications.
  - Justification: Legitimate interests (managing the tenancy, having a record in case of dispute).
  - Constraints: Only keep necessary messages. After the tenancy ends and enough time has passed for dispute resolution (often 6 years), consider deleting.
WHAT YOU SHOULD NOT KEEP (OR HANDLE WITH CAUTION)
- Special Category Data (Sensitive Info)
  - Race, religion, health data, biometrics, sexual orientation, etc.
  - Storing or processing this generally requires explicit consent or a legal reason. Rarely needed in standard tenancies.
  - If a tenant volunteers disability details for a reasonable adjustment, store it only for that specific purpose and secure it carefully.
- Criminal Records
  - Typically no unless you have a very specific justification (e.g., a tenant reveals an unspent conviction).
  - This is heavily regulated, so avoid storing it unless required by law or absolutely necessary.
- Irrelevant Personal Details
  - Social media profiles, personal lifestyle preferences, family background, etc. These are not needed for normal letting and should not be collected or retained.
- Excessive ID or Payment Data
  - Full credit card details if you only need an account number, or entire passport scans stored indefinitely after checks are done.
  - Minimising to what is strictly needed is crucial.
HOW LONG YOU CAN KEEP IT
- During Tenancy: Retain all necessary data.
- After Tenancy: If data is needed for legal or contractual reasons (e.g. potential disputes, deposit return, tax records), you may keep it typically up to 6 years (the usual limitation period for contract claims). If there’s an ongoing dispute, keep records until it’s resolved.
- Data Minimisation: If certain info is no longer needed, delete or anonymize it.
SUMMARY OF JUSTIFICATION
- Contractual Necessity: Name, contact info, rent details, deposit, agreement documents, references relevant to performing and enforcing the tenancy contract.
- Legal Obligation: Right-to-rent checks, gas safety certificates referencing occupant details, or any statutory records you must keep.
- Legitimate Interests: Additional details you need for normal letting business (rent tracking, logs of communications, mild referencing info) as long as you balance your needs with tenant privacy and only keep relevant data.
Consent is generally not required for these standard landlord tasks because you can rely on the above lawful bases. However, you must provide a privacy notice explaining what data you collect and why, how long you keep it, and who you share it with.
Final Word
Within UK GDPR, as a landlord or agent, you can lawfully store:
- Essential identifying and contact info for each tenant.
- Rent and deposit details (including payment references).
- Lease agreements and basic referencing/credit info.
- Maintenance and repair records involving the tenant.
- Communication logs necessary for the tenancy.
You must keep it secure, only as long as necessary, and avoid collecting or storing unnecessary or sensitive personal data. Doing so ensures you have a valid legal basis (contract, legal obligation, or legitimate interest) and remain compliant with UK GDPR.
UK GDPR Compliance for Tenant Data on Third-Party Platforms
Using Third-Party Platforms for Tenant Data
Landlords and letting agents are permitted to store tenant data on third-party platforms (such as an online tenancy management service), provided this is done in compliance with UK GDPR. In these cases, the landlord/agent remains the Data Controller and the platform acts as a Data Processor handling data on the controller’s behalf. This arrangement is lawful so long as proper safeguards are in place – notably a written Data Processing Agreement (DPA) that defines how the platform will process and protect the data. Even when using a third-party service, the landlord/agent remains ultimately responsible for ensuring the tenant’s data is handled lawfully and securely. In practice, this means landlords must choose GDPR-compliant platforms and ensure all processing of tenant information via the service adheres to data protection principles.
Data the Platform Can Collect and Process
Only personal data necessary for managing the tenancy should be collected and stored on the platform (this aligns with GDPR’s data minimisation principle). The platform can lawfully handle typical tenant information needed for tenancy management, for example:
- Identification and Contact Details: Names, addresses, contact numbers, email addresses, and age/date of birth of tenants.
- Tenancy and Contract Details: Tenancy applications, signed tenancy agreements, rental records, and related correspondence.
- Financial and Reference Information: Financial details like income or employer (for referencing), bank account information for rent payments, and references from previous landlords or credit checks as needed to vet and manage the tenancy.
Note: Under UK GDPR the platform should only collect data that is necessary for the stated purposes of tenancy administration. Unnecessary or excessive data (especially any sensitive personal data not needed for renting) should be avoided. The platform must also store the data securely and maintain its accuracy, regularly updating or deleting information that is no longer relevant.
Lawful Basis for Processing (Consent vs. Legitimate Interest)
Explicit tenant consent is generally not required for storing or processing tenant data in the landlord/tenant context, as long as another lawful basis applies. In a rental scenario, data processing is usually justified by “contractual necessity” (performance of the tenancy agreement) or the landlord’s legitimate interests in managing the property. Landlords and agents have a clear need to process personal data to fulfill the tenancy contract and meet legal obligations (e.g. referencing, rent collection, safety checks), which GDPR recognizes as valid grounds. In fact, guidance cautions against relying on consent in a landlord-tenant relationship – consent can be problematic due to the imbalance of power and because a tenant could withdraw consent at any time. Instead, the platform and landlord can rely on the landlord’s legitimate interests or contractual requirements to lawfully process tenant data. This means your service does not typically need to obtain separate explicit consent from tenants for core tenancy management activities, provided the data use is limited to what is necessary for the tenancy and disclosed to the tenant (e.g. via the landlord’s privacy notice).
Restrictions on the Platform’s Use of Tenant Data
UK GDPR imposes several restrictions and obligations on how the platform may use and share tenant personal data. Key points to ensure compliance include:
- Purpose Limitation: Tenant data collected for tenancy management must only be used for that original purpose and related services the landlord requires. The platform should not repurpose the data for unrelated activities without a further lawful basis. (For example, data provided to screen or contact a tenant should not be used for marketing a third-party product without permission.)
- Limited Sharing: The platform must not share tenant data with outside parties except as authorized and necessary. Sharing should be limited to parties involved in the tenancy (for instance, passing necessary details to a maintenance contractor or utility company with a valid reason) and should be disclosed to the tenant. It is strictly forbidden to sell or transfer tenant information to any unrelated third party for profit or marketing – that would be an unlawful use of the data. All third-party disclosures should be transparent and covered by a lawful basis (e.g. the landlord’s legitimate interest in notifying utility providers of a new tenant).
- Data Analysis and Profiling: If the platform performs any analysis on tenant data (for example, aggregating rental payment history to improve services), it must ensure compliance with GDPR. Ideally, analysis should use anonymised or aggregated data that cannot identify individual tenants, which removes GDPR concerns. If any analytics involve personal data, the platform needs a valid legal basis (often its own legitimate interest) and must inform landlords/tenants of this use. Importantly, any such processing should not conflict with the original purposes for which the data was collected. In practice, this means the platform can analyze usage trends or improve features, but it cannot profile or make decisions about individual tenants that go beyond the scope of tenancy management without additional consent or legal justification.
- Storage and Retention: The platform should adhere to data retention limits. Tenant data shouldn’t be kept indefinitely “just in case.” Instead, it must be stored only for as long as necessary to fulfill the tenancy and related legal requirements. For example, during an active tenancy the data is clearly needed; after a tenancy ends, the platform and landlord might retain certain records for a defined period (e.g. to handle deposit disputes, comply with legal record-keeping duties, or address any claims). Once that period expires and there’s no legitimate need to hold the data, it should be securely deleted or anonymized. Your platform should have a retention policy aligned with landlords’ needs and UK GDPR (which might specify, for instance, deleting or exporting tenant records a certain number of years after tenancy end, unless law requires longer retention).
Additionally, the platform must uphold core GDPR principles like data accuracy (keeping information up to date) and confidentiality. It should not use tenant data for any new purpose that the tenant and landlord have not been informed of. By limiting use and sharing, and by enforcing retention periods, the platform ensures it only processes tenant data in fair and expected ways, maintaining compliance and tenant trust.
Platform’s UK GDPR Responsibilities
As a provider of a tenancy management platform handling personal data, your service has specific GDPR responsibilities to ensure lawful processing and safeguard tenant information:
- Data Processor Obligations: In most cases the platform will function as a Data Processor for the landlord/agent (who is the Data Controller). This means the platform must process tenant data only on documented instructions from the landlord and for the purposes they specify. The platform should not decide on its own to use the data in new ways outside the landlord’s direction. GDPR requires processors to assist the controller in meeting GDPR obligations and to never use the data for their own independent purposes.
- Data Processing Agreement (DPA): The platform must have a contract in place with each landlord or agent (the controller) that meets GDPR’s requirements for processor agreements. This DPA should clearly set out the scope of processing, the types of data, duration, and the duties of the platform – including confidentiality requirements, sub-processor approval, handling of data breaches, and assistance with data subject rights. Having a proper DPA not only is a legal requirement, but it also protects both parties by clarifying responsibilities.
- Security Measures: As a data processor, the platform is obligated to implement appropriate technical and organisational security measures to protect tenant data. This includes using strong encryption and secure storage for digital data, access controls to ensure only authorized personnel/systems can access the information, regular security testing, and maintaining up-to-date protections against threats. For example, all tenant records in the system should be password-protected (with robust password policies), encrypted in transit and at rest as appropriate, and stored on secure servers. The platform should also have procedures for regular backups and the ability to restore data, as well as processes to detect and respond to any security incidents. By law, if the platform discovers a data breach involving tenant info, it must inform the landlord (controller) without undue delay so that the ICO and affected individuals can be notified by the controller if required.
- Data Protection Compliance & ICO Registration: Your platform company itself will have GDPR obligations beyond just processing data for others. In providing the service, the platform inevitably handles personal data (e.g. landlord account details, and possibly is entrusted with tenant data), which means it should register with the ICO and pay any required data protection fee (as most organizations processing personal data must do). Typically, landlords are required to register because processing tenant data triggers the legal requirement, and a tech platform managing such data would similarly need to ensure it’s properly registered (unless fully exempt, which is unlikely). The platform should also maintain its own privacy policy and internal data protection practices in line with GDPR, effectively acting as a Data Controller for the customer data it collects (like landlords’ business information or platform user accounts). This means adhering to all seven GDPR principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality) in its operations.
- Supporting Data Subject Rights: Under UK GDPR, tenants (as data subjects) have rights such as access to their data, rectification, erasure, and the right to object. While the landlord/controller is primarily responsible for handling any tenant requests to exercise these rights, the platform as a processor should be ready to assist. For instance, if a tenant submits a subject access request to the landlord, the platform must help retrieve all the tenant’s data it holds for that landlord and not impede deletion or correction of data on request. The DPA and the platform’s functionality should accommodate these requirements (e.g. allowing landlords to extract or delete tenant records on request). The platform should also only engage approved sub-processors (like cloud hosting providers or communication tools) with the controller’s permission and ensure those sub-processors uphold the same data protection standards.
In summary, your platform can indeed lawfully host and process tenant information on behalf of landlords and agents if all GDPR requirements are met. By acting in the capacity of a diligent data processor – with proper contracts, robust security, and respect for privacy principles – and by relying on appropriate lawful bases (contractual necessity or legitimate interests), the platform, landlords, and agents can confidently use the service to manage tenancy data in full compliance with UK GDPR. The focus should always be on transparency, data minimisation, and protecting the tenant’s rights and privacy at every step.